bin/dnssec/dnssec-signzone.c

	dnssec-signzone.c revision ae83dbc8817912ebce47559b1010e2c3b7715715
80c70837963eb58bd41a4d53367bfd4b1c04439eAutomatic Updater
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <config.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <stdio.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <stdlib.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <string.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/types.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/assertions.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/boolean.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/buffer.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/error.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/mem.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <isc/stdtime.h>
28a8f5b0de57d269cf2845c69cb6abe18cbd3b3aMark Andrews
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/types.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/name.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/fixedname.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/db.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/dbiterator.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/rdata.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/rdatalist.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/rdataset.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/rdatasetiter.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/rdatastruct.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/result.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/dnssec.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/keyvalues.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dns/nxt.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#include <dst/dst.h>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#define MAXKEYS 10
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt              == DNS_KEYOWNER_ZONE)
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Huntstatic isc_mem_t *mctx = NULL;
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Huntstatic inline void
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Huntfatal(char *message) {
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrews    fprintf(stderr, "%s\n", message);
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews    exit(1);
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt}
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Huntstatic inline void
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntcheck_result(isc_result_t result, char *message) {
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews    if (result != ISC_R_SUCCESS) {
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews        fprintf(stderr, "%s: %s\n", message,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt            isc_result_totext(result));
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt        exit(1);
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt    }
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt}
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt
b4d8192d210290112e07b0e22b491c45c50ba696Evan Huntstatic void
b4d8192d210290112e07b0e22b491c45c50ba696Evan Huntset_bit(unsigned char *array, unsigned int index, unsigned int bit) {
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt    unsigned int byte, shift, mask;
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt    byte = array[index / 8];
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt    shift = 7 - (index % 8);
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt    mask = 1 << shift;
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt    if (bit)
215ef83bbed20727813a52ddcdbcd1455856638bMark Andrews        array[index / 8] |= mask;
215ef83bbed20727813a52ddcdbcd1455856638bMark Andrews    else
215ef83bbed20727813a52ddcdbcd1455856638bMark Andrews        array[index / 8] &= (~mask & 0xFF);
215ef83bbed20727813a52ddcdbcd1455856638bMark Andrews}
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntstatic void
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntsign_with_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt          dns_rdatalist_t *sigrdatalist, isc_stdtime_t *now,
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt          isc_stdtime_t *later, dst_key_t *key,
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt          unsigned char *array, int len)
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews{
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews    isc_buffer_t b;
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews    isc_region_t r;
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews    isc_result_t result;
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews
42cf2ff7bad81c5a1f5d3be29d06e12504c3af24Evan Hunt    r.base = array;
42cf2ff7bad81c5a1f5d3be29d06e12504c3af24Evan Hunt    r.length = len;
42cf2ff7bad81c5a1f5d3be29d06e12504c3af24Evan Hunt    memset(r.base, 0, r.length);
42cf2ff7bad81c5a1f5d3be29d06e12504c3af24Evan Hunt
42cf2ff7bad81c5a1f5d3be29d06e12504c3af24Evan Hunt    dns_rdata_init(rdata);
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt    isc_buffer_init(&b, r.base, r.length, ISC_BUFFERTYPE_BINARY);
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt    result = dns_dnssec_sign(name, rdataset, key, now, later,
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt                 mctx, &b, rdata);
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt    check_result(result, "dns_dnssec_sign()");
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt    result = dns_dnssec_verify(name, rdataset, key, mctx, rdata);
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrews    check_result(result, "dns_dnssec_verify()");
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrews    ISC_LIST_APPEND(sigrdatalist->rdata, rdata, link);
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrews}
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrews
de52784e45e3a7a92c0d8ad843eb4db313bbfd97Mark Andrewsstatic void
af850c4120c5bee9462de4def85d0b4c1b583963Mark Andrewsgenerate_sig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
af850c4120c5bee9462de4def85d0b4c1b583963Mark Andrews         dns_name_t *name, dst_key_t **keys, isc_boolean_t *defaultkey,
af850c4120c5bee9462de4def85d0b4c1b583963Mark Andrews         int nkeys)
af850c4120c5bee9462de4def85d0b4c1b583963Mark Andrews{
af850c4120c5bee9462de4def85d0b4c1b583963Mark Andrews    isc_result_t result;
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Hunt    dns_rdata_t rdata, rdatas[MAXKEYS];
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Hunt    dns_rdataset_t rdataset, sigrdataset, oldsigset;
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Hunt    dns_rdatalist_t sigrdatalist;
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Hunt    dns_rdatasetiter_t *rdsiter;
8a2ab2b9203120c3e2a883a5ee8c0b5d60c1808cEvan Hunt    isc_stdtime_t now, later;
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews    unsigned char array[MAXKEYS][1024];
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews    int i;
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews    isc_boolean_t alreadysigned;
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews
ef9f4d097794609e018963087fab10a8b51d8ad1Mark Andrews    dns_rdataset_init(&rdataset);
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    rdsiter = NULL;
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    check_result(result, "dns_db_allrdatasets()");
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    result = dns_rdatasetiter_first(rdsiter);
4e8fe357a619ae2b789b15df7e3d6abf782b4a71Evan Hunt    while (result == ISC_R_SUCCESS) {
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews        dns_rdatasetiter_current(rdsiter, &rdataset);
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews        if (rdataset.type == dns_rdatatype_sig ||
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews            (rdataset.type == dns_rdatatype_key &&
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews             dns_name_compare(name, dns_db_origin(db)) == 0))
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt        {
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt            dns_rdataset_disassociate(&rdataset);
5a75f61dd413720c16d229b24ebba6bd6ecdb738Evan Hunt            result = dns_rdatasetiter_next(rdsiter);
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt            continue;
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt        }
99cbc3d3a4dcbd203146f62e37478aee1c8ee673Evan Hunt
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt        dns_rdataset_init(&oldsigset);
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt        result = dns_db_findrdataset(db, node, version,
                         dns_rdatatype_sig, rdataset.type,
                         0, &oldsigset, NULL);
        if (result == ISC_R_SUCCESS)
            alreadysigned = ISC_TRUE;
        else if (result == ISC_R_NOTFOUND) {
            alreadysigned = ISC_FALSE;
            result = ISC_R_SUCCESS;
        }
        else
            alreadysigned = ISC_FALSE; /* not that this matters */
        check_result(result, "dns_db_findrdataset()");

        if (rdataset.type == dns_rdatatype_nxt && !alreadysigned) {
            unsigned char *nxt_bits;
            dns_name_t nxtname;
            isc_region_t r, r2;

            result = dns_rdataset_first(&rdataset);
            check_result(result, "dns_rdataset_first()");
            dns_rdataset_current(&rdataset, &rdata);
            dns_rdata_toregion(&rdata, &r);
            dns_name_init(&nxtname, NULL);
            dns_name_fromregion(&nxtname, &r);
            dns_name_toregion(&nxtname, &r2);
            nxt_bits = r.base + r2.length;
            set_bit(nxt_bits, dns_rdatatype_sig, 1);

        }

        isc_stdtime_get(&now);
        later = 100000 + now;
        ISC_LIST_INIT(sigrdatalist.rdata);

        if (!alreadysigned) {
            for (i = 0; i < nkeys; i++) {
                if (!defaultkey[i])
                    continue;
                sign_with_key(name, &rdataset, &rdatas[i],
                          &sigrdatalist, &now, &later,
                          keys[i], array[i],
                          sizeof(array[i]));
            }
        }
        else {
            dns_rdata_t sigrdata;
            dns_rdata_generic_sig_t sig;

            dns_rdata_init(&sigrdata);
            result = dns_rdataset_first(&oldsigset);
            while (result == ISC_R_SUCCESS) {
                dns_rdataset_current(&oldsigset, &sigrdata);
                result = dns_rdata_tostruct(&sigrdata, &sig,
                                mctx);
                check_result(result, "dns_rdata_tostruct()");
                for (i = 0; i < nkeys; i++) {
                    dst_key_t *key = keys[i];
                    if (dst_key_id(key) == sig.keyid &&
                        dst_key_alg(key) == sig.algorithm)
                        break;
                }
                if (i == nkeys) {
                    result = dns_rdataset_next(&oldsigset);
                    dns_rdata_freestruct(&sig);
                    printf("couldn't find key");
                    continue;
                }
                sign_with_key(name, &rdataset, &rdatas[i],
                          &sigrdatalist, &now, &later,
                          keys[i], array[i],
                          sizeof(array[i]));

                dns_rdata_freestruct(&sig);
                result = dns_rdataset_next(&oldsigset);
            }
            dns_rdataset_disassociate(&oldsigset);
        }

        sigrdatalist.rdclass = rdataset.rdclass;
        sigrdatalist.type = dns_rdatatype_sig;
        sigrdatalist.covers = rdataset.type;
        sigrdatalist.ttl = rdataset.ttl;
        dns_rdataset_init(&sigrdataset);
        result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset);
        check_result(result, "dns_rdatalist_tordataset");
        result = dns_db_addrdataset(db, node, version, 0, &sigrdataset,
                        ISC_FALSE, NULL);
        if (result == DNS_R_UNCHANGED)
            result = ISC_R_SUCCESS;
        check_result(result, "dns_db_addrdataset");
        dns_rdataset_disassociate(&sigrdataset);

        dns_rdataset_disassociate(&rdataset);
        result = dns_rdatasetiter_next(rdsiter);
    }
    if (result != DNS_R_NOMORE)
        fatal("rdataset iteration failed");
    dns_rdatasetiter_destroy(&rdsiter);
}

static inline isc_boolean_t
active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
    dns_rdatasetiter_t *rdsiter;
    isc_boolean_t active = ISC_FALSE;
    isc_result_t result;
    dns_rdataset_t rdataset;

    dns_rdataset_init(&rdataset);
    rdsiter = NULL;
    result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
    check_result(result, "dns_db_allrdatasets()");
    result = dns_rdatasetiter_first(rdsiter);
    while (result == ISC_R_SUCCESS) {
        dns_rdatasetiter_current(rdsiter, &rdataset);
        if (rdataset.type != dns_rdatatype_nxt)
            active = ISC_TRUE;
        dns_rdataset_disassociate(&rdataset);
        if (!active)
            result = dns_rdatasetiter_next(rdsiter);
        else
            result = DNS_R_NOMORE;
    }
    if (result != DNS_R_NOMORE)
        fatal("rdataset iteration failed");
    dns_rdatasetiter_destroy(&rdsiter);

    if (!active) {
        /*
         * Make sure there is no NXT record for this node.
         */
        result = dns_db_deleterdataset(db, node, version,
                           dns_rdatatype_nxt);
        if (result == DNS_R_UNCHANGED)
            result = ISC_R_SUCCESS;
        check_result(result, "dns_db_deleterdataset");
    }

    return (active);
}

static inline isc_result_t
next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
        dns_name_t *name, dns_dbnode_t **nodep)
{
    isc_result_t result;
    isc_boolean_t active;

    do {
        active = ISC_FALSE;
        result = dns_dbiterator_current(dbiter, nodep, name);
        if (result == ISC_R_SUCCESS) {
            active = active_node(db, version, *nodep);
            if (!active) {
                dns_db_detachnode(db, nodep);
                result = dns_dbiterator_next(dbiter);
            }
        }
    } while (result == ISC_R_SUCCESS && !active);

    return (result);
}

static void
sign(char *filename) {
    isc_result_t result, nxtresult;
    dns_db_t *db;
    dns_dbversion_t *wversion;
    dns_dbnode_t *node, *nextnode, *curnode;
    char *origintext;
    dns_fixedname_t fname, fnextname;
    dns_name_t *name, *nextname, *target, curname;
    isc_buffer_t b;
    size_t len;
    dns_dbiterator_t *dbiter;
    char newfilename[1024];
    dst_key_t *keys[MAXKEYS];
    isc_boolean_t defaultkey[MAXKEYS];
    unsigned char curdata[1024];
    isc_buffer_t curbuf;
    unsigned int nkeys = 0;
    int i;

    dns_fixedname_init(&fname);
    name = dns_fixedname_name(&fname);
    dns_fixedname_init(&fnextname);
    nextname = dns_fixedname_name(&fnextname);

    origintext = strrchr(filename, '/');
    if (origintext == NULL)
        origintext = filename;
    else
        origintext++;   /* Skip '/'. */
    len = strlen(origintext);
    isc_buffer_init(&b, origintext, len, ISC_BUFFERTYPE_TEXT);
    isc_buffer_add(&b, len);
    result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
    check_result(result, "dns_name_fromtext()");
    db = NULL;
    result = dns_db_create(mctx, "rbt", name, ISC_FALSE,
                   dns_rdataclass_in, 0, NULL, &db);
    check_result(result, "dns_db_create()");
    result = dns_db_load(db, filename);
    check_result(result, "dns_db_load()");

    node = NULL;
    result = dns_db_findnode(db, name, ISC_FALSE, &node);
    check_result(result, "dns_db_findnode()");
    result = dns_dnssec_findzonekeys(db, NULL, node, name, mctx, MAXKEYS,
                     keys, &nkeys);
    check_result(result, "dns_dnssec_findzonekeys()");
    dns_db_detachnode(db, &node);
    for (i = 0; i < nkeys; i++)
        defaultkey[i] = ISC_TRUE;

    wversion = NULL;
    result = dns_db_newversion(db, &wversion);
    check_result(result, "dns_db_newversion()");

    dbiter = NULL;
    result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
    check_result(result, "dns_db_createiterator()");
    result = dns_dbiterator_first(dbiter);
    node = NULL;
    result = next_active(db, wversion, dbiter, name, &node);
    while (result == ISC_R_SUCCESS) {
        nextnode = NULL;
        curnode = NULL;
        dns_name_init(&curname, NULL);
        isc_buffer_init(&curbuf, curdata, sizeof(curdata),
                ISC_BUFFERTYPE_BINARY);
        dns_name_setbuffer(&curname, &curbuf);
        dns_dbiterator_current(dbiter, &curnode, &curname);
        result = dns_dbiterator_next(dbiter);
        if (result == ISC_R_SUCCESS)
            result = next_active(db, wversion, dbiter, nextname,
                         &nextnode);
        if (result == ISC_R_SUCCESS)
            target = nextname;
        else if (result == DNS_R_NOMORE)
            target = dns_db_origin(db);
        else {
            target = NULL;  /* Make compiler happy. */
            fatal("db iteration failed");
        }
        nxtresult = dns_buildnxt(db, wversion, node, target);
        check_result(nxtresult, "dns_buildnxt()");
        generate_sig(db, wversion, node, &curname, keys, defaultkey,
                 nkeys);
        dns_name_invalidate(&curname);
        dns_db_detachnode(db, &node);
        dns_db_detachnode(db, &curnode);
        node = nextnode;
    }
    if (result != DNS_R_NOMORE)
        fatal("db iteration failed");
    dns_dbiterator_destroy(&dbiter);
    /*
     * XXXRTH  For now, we don't increment the SOA serial.
     */
    dns_db_closeversion(db, &wversion, ISC_TRUE);
    len = strlen(filename);
    if (len + 4 + 1 > sizeof newfilename)
        fatal("filename too long");
    sprintf(newfilename, "%s.new", filename);
    result = dns_db_dump(db, NULL, newfilename);
    check_result(result, "dns_db_dump");
    dns_db_detach(&db);
    for (i = 0; i < nkeys; i++)
        dst_key_free(keys[i]);
}

int
main(int argc, char *argv[]) {
    int i;
    isc_result_t result;

    dns_result_register();

    result = isc_mem_create(0, 0, &mctx);
    check_result(result, "isc_mem_create()");

    argc--;
    argv++;

    for (i = 0; i < argc; i++)
        sign(argv[i]);

    isc_mem_stats(mctx, stdout);
    isc_mem_destroy(&mctx);

    return (0);
}